XXE in eclipse IDE
Basic information
Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi
Project id: {id}
What are the affected versions?
probably all
Details of the issue
SonarLint reports many possible XXE attacks in eclipse IDE's sourcecode.
for example:
Steps to reproduce
Don't know. Probably manipulating development xml-files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ... which should be normally self contained and do not require access from external sources.
Do you know any mitigations of the issue?
https://rules.sonarsource.com/java/RSPEC-2755 recommends to replace "SAXParserFactory.newInstance();" with code that disables external access by properties see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Activity
Similar Code was fixed here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=577341
@mrybczyn when and how the projects where informed? I am committer on eclipse.platform myself and did not receive any notification.
Thank you @jkubitz for reporting an issue with the assignment. There was a technical glitch and people should be added correctly this time.
@mrybczyn please add also Jonah Graham jonah@kichwacoders.com and Ed Merks ed.merks@gmail.com
@mrybczyn ping
@jkubitz added both. We can also split this issue per-project if it makes sense
assigned to @hwellmannwr6
assigned to @vchandra
assigned to @sasinha
assigned to @ngupta
assigned to @mpalat
assigned to @ktatavarthi
assigned to @jarthanaree
assigned to @akurtakov
assigned to @lvogel
assigned to @mistria
assigned to @slakkimsetti
assigned to @hargrave
assigned to @mhoffmannp88
assigned to @jalbertjsd
